Amendments to the Claims; 



This listing of claims will replace all prior versions, and listings of claims in the 
application. Applicants have submitted a new complete claim set showing any marked up claims 
with insertions indicated by underlining and deletions indicated by strikeouts and/or double 
bracketing. 

Listing of Claims; 

1 . (Currently Amended) A system for processing e-mail comprising: 

a distributed network including a plurality of servers that receive e-mail messages for a 
plurality of different remotely located clients, each of the servers having a packet sniffer that 
extracts originating IP addresses associated with e-mail messages that are communicated to the 
clients over the distributed network; and 

a monitor that communicates with the plurality of packet sniffers and that monitors data 
regarding the originating IP addresses, wherein the monitor is configured to dctcrmine[[s]] 
whether traffic from an originating IP address has exceeded a threshold value, «id the monitor 
being further configured to generate[[s]] a response to detect for us e in d e t e cting spam e-mail 
messages if the threshold value has been exceeded. 

2. (Original) The system of claim 1 wherein each of the servers further includes a 
blacklist containing IP addresses that have been determined to be generating spam e-mail 

messages; and 

wherein each server checks the originating IP addresses of incoming connections to the 
addresses contained in the blacklist, and rejects any connection originating from an address on 

the blacklist. 
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3. (Original) The system of claim 1 wherein each of the servers further includes a 
message switch that determines whether e-mail messages are spam, and communicates e-mail 
messages to clients. 

4. (Original) The system of claim 1 wherein the monitor resides on a server separate 
from the packet sniffers. 

5. (Original) The system of claim 3 further comprising: 

a spam database for storing rules for determining whether e-mail messages are spam; 
wherein the message switch determines whether e-mail messages arc spam based on the 
rules within the spam database. 

6. (Original) The system of claim 5 wherein each rule in the database is assigned a 
score that is used to determine whether an e-mail message is spam. 

7. (Original) The system of claim 6 wherein the response generated by the monitor 
comprises raising the score of a rule corresponding to the originating IP address. 

8. (Original) The system of claim 1 wherein the response generated by the monitor 
comprises an alert that is contmiunicated to a spam analyst. 

9. (Original) The system of claim 2 wherein the response generated by the monitor 
comprises a command to add the originating IP address to the blacklist. 

10. (Original) The system of claim 1 wherein the threshold value comprises a rate 
parameter. 

11. (Original) The system of claim 1 wherein the threshold value comprises a 
maximum total connections parameter. 

12. (Original) The system of claim 1 wherein the monitor determines whether an 
originating IP address has exceeded a threshold value by use of a token bucket algorithm 
including a rate parameter and a maximum connections allowed parameter. 
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13. (Currently Amended) A system for detecting spam e-mail messages in a 
distributed network including a plurality of servers that receive and process e-mail messages for 
a plurality of different remotely located clients, the system comprising: 

a plurality of packet sniffers, each of which is located on a unique one of the plurality of 
servers and extracts originating IP addresses associated with e-mail messages that are 
communicated to clients by the server; and 

a monitor that communicates with the plurality of packet sniffers and that monitors data 
regarding the originating IP addresses, wherein the monitor is configured to determine[[s]] 
whether traffic from an originating IP address has exceeded a threshold value, and the monitor 
being further configured to generate[[s]] a response to detect for use in detecting spam e-mail 
messages if the threshold value has been exceeded. 

14. (Original) The system of claim 13 wherein the monitor resides on a server 
separate fi-om the packet sniffers. 

15. (Original) The system of claim 13 further comprising: 

a blacklist stored on each of the servers, the blacklist including IP addresses that have 
been determined to be generating spam. 

16. (Original) The system of claim 13 further comprising: 

a spam database that stores rules for determining whether e-mail messages are spam; and 

a message switch that determines whether e-mail messages are spam based on the rules 
within the spam database. 

17. (Original) The system of claim 16 wherein each rule in the database is assigned a 
score that is used to determine whether an e-mail message is spam. 

18. (Original) The system of claim 17 wherein the response generated by the monitor 
comprises raising the score of a rule corresponding to the originating IP address. 
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19. (Original) The system of claim 13 wherein the response generated by the monitor 
comprises an alert that is communicated to a spam analyst. 

20. (Original) The system of claim 13 wherein the response generated by the monitor 
comprises a command to the system to block future e-mail messages from the originating IP 
address. 

21. (Original) The system of claim 13 wherein the threshold value comprises a rate 
parameter. 

22. (Original) The system of claim 13 wherein the threshold value comprises a 
maximum total connections parameter. 

23. (Original) The system of claim 13 wherein the monitor determines whether 
fraflfic from an originating IP address has exceeded a threshold value by use of a token bucket 
algorithm including a rate parameter and a maximum connections allowed parameter. 

24. (Currently Amended) A method for processing e-mail and detecting spam e-mail 
messages, comprising: 

routing the e-mail messages through a distributed network including a plurality of servers 
that receive and process e-mail messages for a plurality of different remotely located clients; 

communicating the processed messages to the plurality of remotely located clients by use 
of the plurality of servers; 

exfracting, at the plurality of servers, originating IP addresses associated with e-mail 
messages that are communicated to the plurality of remotely located clients; 

monitoring data regarding originating IP addresses; 

determining whether fraffic from an originating IP address has exceeded a threshold 
value; and 

generating a response for use in detecting spam e-mail messages if the threshold value 
has been exceeded. 
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25. (Original) The method of claim 24 further comprising: 
storing data regarding the originating IP addresses in a database. 

26. (Original) The method of claim 24 further comprising: 
maintaining a list of acceptable IP addresses; 

checking originating IP addresses against the hst; and 

determining whether traffic fi-om an originating IP address has exceeded a threshold 
value only if the originating IP address is not in the list. 

27. (Original) The method of claim 24 wherein the threshold value comprises a rate 
parameter. 

28. (Original) The method of claim 24 wherein the threshold value comprises a 
maximum total connections parameter. 

29. (Original) The method of claim 24 wherein determining whether traffic from an 
originating IP address has exceeded a threshold value is performed by use of a token bucket 
algorithm including a rate parameter and a maximum connections allowed parameter. 

30. (Original) The method of claim 24 further comprising: 

storing IP addresses that have been determined to be generating spam in a blacklist; 

checking originating IP addresses of incoming connections to the servers against the IP 
addresses contained in the blacklist; and 

rejecting any connection originating fi-om an IP address in the blacklist. 

3 1 . (Original) The system of claim 30 wherein the response generated by the monitor 
comprises a command to add the originating IP address to the blacklist. 

32. (Original) The method' of claim 24 fiirther comprising: 

storing rules for determining whether e-mail messages are spam in a spam database; and 
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determining whether e-mail messages are spam based on the rules within the spam 
database. 

33. (Original) The method of claim 32 wherein each rule in the database is assigned a 
score that is used to determine whether an e-mail message is spam. 

34. (Original) The method of claim 33 wherein generating a response comprises 
raising the score of a rule corresponding to the originating IP address. 

35. (Original) The method of claim 24 wherein generating a response comprises 
communicating an alert to a spam analyst. 

36. (Original) The system of claim 24 wherein the response generated by the monitor 
comprises a command to the system to block future e-mail messages from the originating IP 
address. 
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